The Great Trinomial Hunt

Richard P. Brent and Paul Zimmermann

20 October 2009



1 Introduction 

A trinomial is a polynomial in one variable with three nonzero terms, for
example $P = 6x^7 + 3x^3 - 5$. If the coefficients of a polynomial $P$ (in this
case $6, 3, -5$) are in some ring or field $F$, we say that $P$ is a polynomial
over $F$, and write $P \in F[x]$. The operations of addition and multiplication
of polynomials in $F[x]$ are defined in the usual way, with the operations on
coefficients performed in $F$.

Classically the most common cases are $F = \mathbb{Z}, \mathbb{Q}, \mathbb{R}$ or $\mathbb{C}$, respectively
the integers, rationals, reals or complex numbers. However, polynomials
over finite fields are also important in applications. We restrict our attention
to polynomials over the simplest finite field: the field GF(2) of two
elements, usually written as 0 and 1. The field operations of addition and
multiplication are defined as for integers modulo 2, so $0 + 1 = 1$, $1 + 1 = 0$,
$0 \times 1 = 0$, $1 \times 1 = 1$, etc.

An important consequence of the definitions is that, for polynomials
$P, Q \in \mathrm{GF}(2)[x]$, we have

$$(P + Q)^2 = P^2 + Q^2$$

because the "cross term" $2PQ$ vanishes. High school algebra would have
been much easier if we had used polynomials over GF(2) instead of over $\mathbb{R}$!

Trinomials over GF(2) are important in cryptography and random number
generation. To illustrate why this might be true, consider a sequence
$(z_0, z_1, z_2, \ldots)$ satisfying the recurrence

$$z_n = z_{n-s} + z_{n-r} \bmod 2, \qquad (1)$$

where $r$ and $s$ are given positive integers, $r > s > 0$, and the initial values
$z_0, z_1, \ldots, z_{r-1}$ are also given. The recurrence then defines all the remaining
terms $z_r, z_{r+1}, \ldots$ in the sequence.

It is easy to build hardware to implement the recurrence (1). All we
need is a shift register capable of storing $r$ bits, and a circuit capable of
computing the addition mod 2 (equivalently, the "exclusive or") of two bits
separated by $r - s$ positions in the shift register and feeding the output back
into the shift register.

The recurrence (1) looks similar to the well-known Fibonacci recurrence

$$F_n = F_{n-1} + F_{n-2};$$

indeed the Fibonacci numbers mod 2 satisfy our recurrence with $r = 2$,
$s = 1$. This gives a sequence $(0, 1, 1, 0, 1, 1, \ldots)$ with period 3: not very
interesting. However, if we take $r$ larger we can get much longer periods.

The period can be as large as $2^r - 1$, which makes such sequences interesting
as components in pseudo-random number generators or stream ciphers.
In fact, the period is $2^r - 1$ if the initial values are not all zero and the
associated trinomial

$$x^r + x^s + 1,$$

regarded as a polynomial over GF(2), is primitive. A primitive polynomial
is one that is irreducible (it has no nontrivial factors), and satisfies an
additional condition given in the "Mathematical Foundations" section below.

A Mersenne prime is a prime of the form $2^r - 1$. Such primes are named
after Marin Mersenne (1588-1648), who corresponded with many of the
scholars of his day, and in 1644 gave a list (not quite correct) of the Mersenne
primes with $r < 257$.

A Mersenne exponent is the exponent $r$ of a Mersenne prime $2^r - 1$. A
Mersenne exponent is necessarily prime, but not conversely. For example,
11 is not a Mersenne exponent because $2^{11} - 1 = 23 \cdot 89$ is not prime.

The topic of this article is a search for primitive trinomials of large
degree $r$, and its interplay with a search for large Mersenne primes. First, we
need to explain the connection between these two topics, and briefly describe
the GIMPS project. Then we describe the algorithms used in our search,
which can be split into two distinct periods, "classical" and "modern".
Finally, we describe the results obtained in the modern period.



2 Mathematical Foundations 

As stated above, we consider polynomials over the finite field GF(2). An
irreducible polynomial is a polynomial that is not divisible by any non-trivial
polynomial other than itself. For example $x^5 + x^2 + 1$ is irreducible, but
$x^5 + x + 1$ is not, since $x^5 + x + 1 = (x^2 + x + 1)(x^3 + x^2 + 1)$ in GF(2)[x].
We do not consider binomials $x^r + 1$, because they are divisible by $x + 1$,
and thus reducible for $r > 1$.

An irreducible polynomial $P$ of degree $r > 1$ yields a representation of
the finite field $\mathrm{GF}(2^r)$ of $2^r$ elements: any polynomial of degree less than
$r$ represents an element, the addition is polynomial addition, whose result
still has degree less than $r$, and the multiplication is defined modulo $P$: one
first multiplies both inputs, and then reduces their product modulo $P$. Thus
$\mathrm{GF}(2^r) \simeq \mathrm{GF}(2)[x]/P(x)$.

An irreducible polynomial $P$ of degree $r > 0$ over GF(2) is said to be
primitive iff $P(x) \ne x$ and the residue classes $x^k \bmod P$, $0 < k < 2^r - 1$,
are distinct. In order to check primitivity of an irreducible polynomial $P$, it
is only necessary to check that $x^k \ne 1 \bmod P$ for those $k$ that are maximal
non-trivial divisors of $2^r - 1$. For example, $x^5 + x^2 + 1$ is primitive; $x^6 + x^3 + 1$ is
irreducible but not primitive, since $x^9 = 1 \bmod (x^6 + x^3 + 1)$. Here 9 divides
$2^6 - 1 = 63$ and is a maximal divisor as $63/9 = 7$ is prime.

We are interested in primitive polynomials because $x$ is a generator of
the multiplicative group of the finite field $\mathrm{GF}(2)[x]/P(x)$ if $P(x)$ is primitive.
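
The following Python sketch is an added example, not code from the article: it runs recurrence (1) from the Introduction as an $r$-bit shift register and counts the cycle lengths over all nonzero initial states for the trinomials discussed above. The function names are chosen for this illustration.

```python
from collections import Counter


def step(state, r, s):
    """Advance the register by one term of z_n = z_{n-s} + z_{n-r} mod 2.

    Bit i of `state` holds z_{n-r+i}, so bit 0 is the oldest term.
    """
    new = ((state >> (r - s)) ^ state) & 1      # z_{n-s} XOR z_{n-r}
    return (state >> 1) | (new << (r - 1))


def first_terms(r, s, init, count):
    """Return z_0 .. z_{count-1} given the initial values z_0 .. z_{r-1}."""
    state = sum(bit << i for i, bit in enumerate(init))
    terms = []
    for _ in range(count):
        terms.append(state & 1)
        state = step(state, r, s)
    return terms


def cycle_lengths(r, s):
    """Map cycle length -> number of cycles, over all nonzero initial states."""
    seen = set()
    cycles = Counter()
    for start in range(1, 1 << r):
        if start in seen:
            continue
        length, state = 0, start
        while True:                             # the update is invertible,
            seen.add(state)                     # so every state lies on a cycle
            state = step(state, r, s)
            length += 1
            if state == start:
                break
        cycles[length] += 1
    return dict(cycles)


if __name__ == "__main__":
    print("Fibonacci mod 2:", first_terms(2, 1, [0, 1], 6))
    for r, s in [(5, 2), (6, 3), (5, 1)]:
        print(f"x^{r} + x^{s} + 1:", cycle_lengths(r, s))
```

Only the primitive trinomial $x^5 + x^2 + 1$ puts every nonzero state on a single cycle of length 31; the irreducible but non-primitive $x^6 + x^3 + 1$ gives seven cycles of length 9, and the reducible $x^5 + x + 1$ splits into cycles of length 3, 7 and 21.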

If $r$ is large and $2^r - 1$ is not prime, it can be difficult to test primitivity
of a polynomial of degree $r$, because we need to know the prime factors of
$2^r - 1$. Thanks to the Cunningham project [20], these are known for all
$r < 887$, but not in general for larger $r$. On the other hand, if $2^r - 1$ is
prime, then all irreducible polynomials of degree $r$ are primitive. This is the
reason why we consider degrees $r$ that are Mersenne exponents.

3 Starting the Search 

In the year 2000 the authors were communicating by email with each other 
and with Samuli Larvala when the topic of efficient algorithms for testing 
irreducibility or primitivity of trinomials over GF(2) arose. The first author 
had been interested in this topic for many years because of the application 
to pseudo-random number generators. Publication of a paper by Kumada 
et al. [12], describing a search for primitive trinomials of degree 859 433 (a
Mersenne exponent), prompted the three of us to embark on a search for
primitive trinomials of degree $r$, for $r$ ranging over all known Mersenne
exponents. At that time, the largest known Mersenne exponents were 3 021 377
and 6 972 593. The existing programs took time proportional to $r^3$. Since
$(6972593/859433)^3 \approx 534$, and the computation by Kumada et al. had taken
three months on 19 processors, it was quite a challenge.

4 The GIMPS project 

GIMPS stands for Great Internet Mersenne Prime Search. It is a
distributed computing project started by George Woltman, with home page
www.mersenne.org. The goal of GIMPS is to find new Mersenne primes.
As of December 2009, GIMPS has found 13 new Mersenne primes in 13
years, and has held the record of the largest known prime since the
discovery of $M_{35}$ in 1996. Mersenne primes are usually numbered in increasing
order of size: $M_1 = 2^2 - 1 = 3$, $M_2 = 2^3 - 1 = 7$, $M_3 = 2^5 - 1 = 31$,
$M_4 = 2^7 - 1 = 127$, ..., $M_{38} = 2^{6972593} - 1$, etc.

Since GIMPS does not always find Mersenne primes in order, there can
be some uncertainty in numbering the largest known Mersenne primes. We
write $M'_n$ for the $n$-th Mersenne prime in order of discovery. There are gaps
in the search above $M_{39} = 2^{13466917} - 1$. Thus we can have $M'_n > M'_{n+1}$
for $n > 39$. For example, $M'_{45} = 2^{43112609} - 1$ was found before
$M'_{46} = 2^{37156667} - 1$ and $M'_{47} = 2^{42643801} - 1$. At the time of writing this article, 47
Mersenne primes are known, and the largest is $M'_{45} = 2^{43112609} - 1$.

It is convenient to write $r_n$ for the exponent of $M_n$, and $r'_n$ for the
exponent of $M'_n$. For example, $r'_{45} = 43\,112\,609$.

5 Swan's Theorem 

We state a useful theorem, known as Swan's theorem, although the result
was found much earlier by Pellet [14] and Stickelberger [18]. In fact, there
are several theorems in Swan's paper [19]. We state a simplified version of
Swan's Corollary 5.

Theorem 1. Let $r > s > 0$, and assume $r + s$ is odd. Then
$T_{r,s}(x) = x^r + x^s + 1$ has an even number of irreducible factors over GF(2) in the
following cases:

a) $r$ even, $r \ne 2s$, $rs/2 \equiv 0$ or $1 \bmod 4$.

b) $r$ odd, $s$ not a divisor of $2r$, $r \equiv \pm 3 \bmod 8$.

c) $r$ odd, $s$ a divisor of $2r$, $r \equiv \pm 1 \bmod 8$.

In all other cases $x^r + x^s + 1$ has an odd number of irreducible factors.

If both $r$ and $s$ are even, then $T_{r,s}$ is a square and has an even number
of irreducible factors. If both $r$ and $s$ are odd, we can apply the theorem
to the "reciprocal polynomial" $T_{r,r-s}(x) = x^r T_{r,s}(1/x) = x^r + x^{r-s} + 1$, since
$T_{r,s}(x)$ and $T_{r,r-s}(x)$ have the same number of irreducible factors.

For $r$ an odd prime, and excluding the easily-checked cases $s = 2$ or
$r - 2$, case (b) says that the trinomial has an even number of irreducible
factors, and hence must be reducible, if $r \equiv \pm 3 \bmod 8$. Thus, we only need
to consider those Mersenne exponents with $r \equiv \pm 1 \bmod 8$. Of the 14 known
Mersenne exponents $r > 10^6$, only 8 satisfy this condition.

6 Cost of the Basic Operations 

The basic operations that we need are squarings modulo the trinomial
$T = x^r + x^s + 1$, multiplications modulo $T$, and greatest common divisors (GCDs)
between $T$ and a polynomial of degree less than $r$. We measure the cost of
these operations in terms of the number of bit or word-operations required
to implement them. In GF(2)[x], squarings cost $O(r)$, due to the fact that
the square of $x^i + x^j$ is $x^{2i} + x^{2j}$. The reduction modulo $T$ of a polynomial
of degree less than $2r$ costs $O(r)$, due to the sparsity of $T$; thus modular
squarings cost $O(r)$.

Modular multiplications cost $O(M(r))$, where $M(r)$ is the cost of
multiplication of two polynomials of degree less than $r$ over GF(2); the
reduction modulo $T$ costs $O(r)$, so the multiplication cost dominates the
reduction cost. The "classical" polynomial multiplication algorithm has
$M(r) = O(r^2)$, but an algorithm¹ due to Schönhage has $M(r) = O(r \log r \log\log r)$ [16].

A GCD computation for polynomials of degree bounded by $r$ costs
$O(M(r) \log r)$ using a "divide and conquer" approach combined with Schönhage's
fast polynomial multiplication. The costs are summarized in Table 1.

| modular squaring | modular product | GCD |
|---|---|---|
| $O(r)$ | $O(M(r))$ | $O(M(r) \log r)$ |

Table 1: Cost of the basic operations.

¹ This algorithm differs from the Schönhage-Strassen integer-multiplication algorithm,
which does not work over GF(2). For details see [2, 16].



7 Testing Irreducibility 

Let $P_r(x) = x^{2^r} - x$. As was known to Gauss, $P_r(x)$ is the product of all
irreducible polynomials of degree $d$, where $d$ runs over the divisors of $r$. For
example,

$$P_3(x) = x(x + 1)(x^3 + x + 1)(x^3 + x^2 + 1)$$

in GF(2)[x]. Here $x$ and $x + 1$ are the irreducible polynomials of degree 1,
and the other factors are the irreducible polynomials of degree 3. Note that
we can always write "+" instead of "-" when working over GF(2), since
$1 = -1$ (or, equivalently, $1 + 1 = 0$).

In particular, if $r$ is an odd prime, then a polynomial $P(x) \in \mathrm{GF}(2)[x]$
with degree $r$ is irreducible iff

$$x^{2^r} = x \bmod P(x). \qquad (2)$$

(If $r$ is not prime, then (2) is necessary but not sufficient: we have to check
a further condition to guarantee irreducibility, see [8].)

When $r$ is prime, equation (2) gives a simple test for irreducibility (or
primitivity, in the case that $r$ is a Mersenne exponent): just perform $r$
modular squarings, starting from $x$, and check if the result is $x$. Since the
cost of each squaring is $O(r)$, the cost of the irreducibility test is $O(r^2)$.

There are more sophisticated algorithms for testing irreducibility, based
on modular composition [11] and fast matrix multiplication [3]. However,
these algorithms are actually slower than the classical algorithm when
applied to trinomials of degree less than about $10^7$.

When searching for irreducible trinomials of degree $r$, we can assume
that $s < r/2$, since $x^r + x^s + 1$ is irreducible iff the reciprocal polynomial
$x^r + x^{r-s} + 1$ is irreducible. This simple observation saves a factor of 2. In
the following, we always assume that $s < r/2$.
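
A compact Python version of the classical search described in Sections 5 to 7, added here as an illustration and not the authors' program: Theorem 1 discards trinomials with an even number of factors, and test (2) is run as $r$ modular squarings with linear-time squaring and reduction modulo $x^r + x^s + 1$. Polynomials are Python integers used as bit vectors, and all function names are this example's own.

```python
def swan_even(r, s):
    """True if Theorem 1 gives x^r + x^s + 1 an even number of irreducible factors."""
    if r % 2 == 0 and s % 2 == 0:
        return True                     # the trinomial is a square
    if r % 2 == 1 and s % 2 == 1:
        s = r - s                       # reciprocal trinomial: same factor count
    if r % 2 == 0:                      # case (a)
        return r != 2 * s and (r * s // 2) % 4 in (0, 1)
    if (2 * r) % s != 0:                # case (b)
        return r % 8 in (3, 5)
    return r % 8 in (1, 7)              # case (c)


def square(a):
    """Square a polynomial over GF(2): coefficient k moves to position 2k."""
    return int("0".join(bin(a)[2:]), 2)


def reduce_mod_trinomial(a, r, s):
    """Reduce a modulo x^r + x^s + 1 using x^n = x^(n+s-r) + x^(n-r)."""
    mask = (1 << r) - 1
    while a >> r:
        high = a >> r                   # all terms of degree >= r, shifted down
        a = (a & mask) ^ high ^ (high << s)
    return a


def is_irreducible(r, s):
    """Test (2), valid for prime r: r modular squarings of x must give x back."""
    a = 0b10                            # the polynomial x
    for _ in range(r):
        a = reduce_mod_trinomial(square(a), r, s)
    return a == 0b10


def search(r):
    """For an odd prime r, return (irreducible s with s < r/2, tests run)."""
    found, tests = [], 0
    for s in range(1, r // 2 + 1):
        if swan_even(r, s):
            continue                    # reducible by Theorem 1, no test needed
        tests += 1
        if is_irreducible(r, s):
            found.append(s)
    return found, tests


if __name__ == "__main__":
    # 13 is congruent to -3 mod 8, so Theorem 1 leaves only s = 2 to test;
    # 89 and 127 are Mersenne exponents congruent to +-1 mod 8.
    for r in (13, 89, 127):
        found, tests = search(r)
        print(f"r = {r}: s = {found} after {tests} irreducibility tests")
```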

8 Degrees of Factors 

In order to predict the expected behaviour of our algorithm, we need to know 
the expected distribution of degrees of irreducible factors. Our complexity 
estimates are based on the assumption that trinomials of degree r behave 
like the set of all polynomials of the same degree, up to a constant factor: 

Assumption 1. Over all trinomials $x^r + x^s + 1$ of degree $r$ over GF(2), the
probability $\pi_d$ that a trinomial has no non-trivial factor of degree $< d$ is at
most $c/d$, where $c$ is an absolute constant and $1 < d < r/\ln r$.

This assumption is plausible and in agreement with experiments, though
not proven. It is not critical, because the correctness of our algorithms does
not depend on the assumption - only the predicted running time depends
on it. The upper bound $r/\ln r$ on $d$ is large enough for our application to
predicting the running time. An upper bound of $r$ on $d$ would probably be
incorrect, since it would imply at most $c$ irreducible trinomials of degree $r$,
but we expect this number to be unbounded.

Some evidence for the assumption, in the case $r = r_{38}$, is presented in
Table 2. The maximum value of $d\pi_d$ is 2.08, occurring at $d = 226\,887$. It
would be interesting to try to explain the exact values of $d\pi_d$ for small $d$,
but this would lead us too far afield.



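| $d$ | $d\pi_d$ |
|---|---|
| 1 | 1.00 |
| 2 | 1.33 |
| 3 | 1.43 |
| 4 | 1.52 |
| 5 | 1.54 |
| 6 | 1.60 |
| 7 | 1.60 |
| 8 | 1.67 |
| 9 | 1.64 |
| 10 | 1.65 |
| 100 | 1.77 |
| 1000 | 1.76 |
| 10000 | 1.88 |
| 226887 | 2.08 |

Table 2: Statistics for $r = r_{38}$.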



9 Sieving 



When testing a large integer N for primality, it is sensible to check if it has 
any small factors before applying a primality test such as the AKS, ECPP, 
or (if we are willing to accept a small probability of error) Rabin-Miller test. 
Similarly, when testing a high-degree polynomial for irreducibility, it is wise 
to check if it has any small factors before applying the $O(r^2)$ test.

Since the irreducible polynomials of degree $d$ divide $P_d(x)$, we can check
if a trinomial $T$ has a factor of degree $d$ (or some divisor of $d$) by computing

$$\gcd(T, P_d).$$

If $T = x^r + x^s + 1$ and $2^d < r$, we can reduce this to the computation of a
GCD of polynomials of degree less than $2^d$. Let $d' = 2^d - 1$, $r' = r \bmod d'$,
$s' = s \bmod d'$. Then $P_d = x(x^{d'} - 1)$,

$$T = x^{r'} + x^{s'} + 1 \bmod (x^{d'} - 1),$$

so we only need to compute

$$\gcd(x^{r'} + x^{s'} + 1, x^{d'} - 1).$$

We call this process "sieving" by analogy with the process of sieving out
small prime factors of integers, even though it is performed using GCD
computations.

If the trinomials that have factors of degree less than $\log_2(r)$ are excluded
by sieving, then by Assumption 1 we are left with $O(r/\log r)$ trinomials to
test. The cost of sieving is negligible. Thus the overall search has cost
$O(r^3/\log r)$.

10 The Importance of Certificates 

Primitive trinomials of degree $r < r_{32} = 756\,839$ are listed in Heringa et
al. [10]. Kumada et al. [12] reported a search for primitive trinomials of
degree $r_{33} = 859\,433$ (they did not consider $r_{32}$). They found one primitive
trinomial; however they missed the trinomial $x^{859433} + x^{170340} + 1$, because
of a bug in their sieving routine. We discovered the missing trinomial in
June 2000 while testing our program on the known cases.

This motivated us to produce certificates of reducibility for all the
trinomials that we tested (excluding, of course, the small number that turned
out to be irreducible). A certificate of reducibility is, ideally, a non-trivial
factor. If a trinomial $T$ is found by sieving to have a small factor, then
it is easy to keep a record of this factor. If we do not know a factor, but
the trinomial fails the irreducibility test (2), then we can record the residue
$R(x) = x^{2^r} - x \bmod T$. Because the residue can be large, we might choose
to record only part of it, e.g., $R(x) \bmod x^{32}$.



11 The Classical Period 

The period 2000-2003 could be called the classical period. We used efficient 
implementations of the classical algorithms outlined above. Since different 
trinomials could be tested on different computers, it was easy to conduct a 
search in parallel, using as many processors as were available. For example, 
we often made use of PCs in an undergraduate teaching laboratory during 
the vacation, when the students were away. 

In this way, we found three primitive trinomials of degree $r_{32} = 756\,839$
(in June 2000), two of degree $r_{37} = 3\,021\,377$ (August and December 2000),
and one of degree $r_{38} = 6\,972\,593$ (in August 2002)². The computation for
degree $r_{38}$ was completed and double-checked by July 2003.

For degree $r_{38} = 6\,972\,593$, there turned out to be only one primitive
trinomial $x^r + x^s + 1$ (assuming, as usual, that $s < r/2$)³. How can we be sure
that we did not miss any? For each non-primitive trinomial we had a cer- 
tificate, and these certificates were checked in an independent computation. 
In fact, we found a small number of discrepancies, possibly due to memory 
parity errors in some of the older PCs that were used. This is a risk in any 
long computation - we should not assume that computers are infallible. The 
same phenomenon was observed by Nicely [13] in his computation of Brun's 
constant (which also uncovered the infamous "Pentium bug"). 

Since we had caught up with the GIMPS project, we thought (not for 
the last time) that this game had finished, and published our results in [HH]. 
However, GIMPS soon overtook us by finding several larger Mersenne primes 
with exponents $\pm 1 \bmod 8$: $r'_{41} = 24\,036\,583, \ldots, r'_{44} = 32\,582\,657$.

The search for degree $r_{38} = 6\,972\,593$ had taken more than two years
(February 2001 to July 2003), so it did not seem feasible to tackle the new
Mersenne exponents $r'_{41}, \ldots, r'_{44}$.

² Primitive trinomials of degree $r_{34}$, $r_{35}$ and $r_{36}$ were ruled out by Swan's theorem, as
were $r_{39}$ and $r'_{40}$.

³ The unique primitive trinomial of degree 6 972 593 is $x^{6972593} + x^{3037958} + 1$. It was
named Bibury after the village that the three authors of [5] were visiting on the day that
it was discovered.

12 The Modern Period

We realised that, in order to extend the computation, we had to find more
efficient algorithms. The expensive part of the computation was testing
irreducibility using equation (2). If we could sieve much further, we could
avoid most of the irreducibility tests. From Assumption 1, if we could sieve
to degree $r/\ln r$, then we would expect only $O(\log r)$ irreducibility tests.

What we needed was an algorithm that would find the smallest factor
of a sparse polynomial (specifically, a trinomial) in a time that was fast on
average.

There are many algorithms for factoring polynomials over finite fields,
see for example [8]. The cost of most of them is dominated by GCD
computations. However, it is possible to replace most GCD computations by
modular multiplications, using a process called blocking (introduced by
Pollard [15] in the context of integer factorization, and by von zur Gathen
and Shoup [9] for polynomial factorization). The idea is simple: instead
of computing $\gcd(T, P_1), \ldots, \gcd(T, P_k)$ in the hope of finding a non-trivial
GCD (and hence a factor of $T$), we compute $\gcd(T, P_1 P_2 \cdots P_k \bmod T)$, and
backtrack if necessary to split factors if they are not irreducible. Since a
GCD typically takes about 40 times as long as a modular multiplication for
$r \approx r_{41}$, blocking can give a large speedup.

During a visit by the second author to the first author in February 2007,
we realised that a second level of blocking could be used to replace most
modular multiplications by squarings. Since a modular multiplication might
take 400 times as long as a squaring (for $r \approx r_{41}$), this second level of blocking
can provide another large speedup. The details are described in [6]. Here
we merely note that $m$ multiplications and $m$ squarings can be replaced
by one multiplication and $m^2$ squarings. The optimal value of $m$ is
$m_0 \approx \sqrt{M(r)/S(r)}$, where $M(r)$ is the cost of a modular multiplication and $S(r)$ is
the cost of a modular squaring, and the resulting speedup is about $m_0/2$. If
$M(r)/S(r) = 400$, then $m_0 \approx 20$ and the speedup over single-level blocking
is roughly a factor of ten.

Using these ideas, combined with a fast implementation of polynomial
multiplication (for details, see [2]) and a subquadratic GCD algorithm, we
were able to find ten primitive trinomials of degrees $r_{41}, \ldots, r_{44}$ by January
2008. Once again, we thought we were finished and published our results [?],
only to have GIMPS leap ahead again by discovering $M_{45}$ in August 2008,
and $M_{46}$ and $M_{47}$ shortly afterwards. The exponent $r_{46}$ was ruled out by
Swan's theorem, but we had to set to work on degrees $r'_{45} = 43\,112\,609$ and
(later) the slightly smaller $r_{47} = 42\,643\,801$.

The search for degree $r'_{45}$ ran from September 2008 to May 2009, with
assistance from Dan Bernstein and Tanja Lange who kindly allowed us to
use their computing resources in Eindhoven, and resulted in four primitive
trinomials of record degree.

The search for degree $r_{47}$ ran from June 2009 to August 2009, and found
five primitive trinomials. In this case we were lucky to have access to a new
computing cluster with 224 processors at the Australian National University,
so the computation took less time than the earlier searches.

The results of our computations in the "Modern Period" are given in
Table 3. There does not seem to be any predictable pattern in the $s$ values.
The number of primitive trinomials for a given Mersenne exponent
$r \equiv \pm 1 \bmod 8$ appears to follow a Poisson distribution with mean about 3.2
(and hence it is unlikely to be bounded by an absolute constant - see the
discussion of Assumption 1 above).



| $r$ | $s$ |
|---|---|
| 24 036 583 | 8 412 642, 8 785 528 |
| 25 964 951 | 880 890, 4 627 670, 4 830 131, 6 383 880 |
| 30 402 457 | 2 162 059 |
| 32 582 657 | 5 110 722, 5 552 421, 7 545 455 |
| 42 643 801 | 55 981, 3 706 066, 3 896 488, 12 899 278, 20 150 445 |
| 43 112 609 | 3 569 337, 4 463 337, 17 212 521, 21 078 848 |

Table 3: Primitive trinomials $x^r + x^s + 1$ whose degree $r$ is a Mersenne
exponent, for $s < r/2$.



13 The Modern Algorithm — Some Details 

To summarize the "modern" algorithm for finding primitive trinomials, we 
improve on the classical algorithm by sieving much further to find a factor 
of smallest degree, using a factoring algorithm based on fast multiplication 
and two levels of blocking. In the following paragraphs we give some details 
of the modern algorithm and compare it with the classical algorithms. 

Given a trinomial $T = x^r + x^s + 1$, we search for a factor of smallest
degree $d < r/2$. (In fact, using Swan's theorem, we can usually restrict the
search to $d < r/3$, because we know that the trinomial has an odd number
of irreducible factors.) If such a factor is found, we know that $T$ is reducible,
so the program outputs "reducible" and saves the factor for a certificate of
reducibility. The factor can be found by taking the GCD of $T$ and $x^{2^d} + x$;
if this GCD is non-trivial, then $T$ has at least one factor of degree dividing
$d$. If factors of degree smaller than $d$ have already been ruled out, then the
GCD only contains factors of degree $d$ (possibly a product of several such
factors). This is known as distinct degree factorization (DDF).

If the GCD has degree $\lambda d$ for $\lambda > 1$, and one wants to split the product
into $\lambda$ factors of degree $d$, then an equal degree factorization algorithm (EDF)
is used. If the EDF is necessary it is usually cheap, since the total degree
$\lambda d$ is usually small if $\lambda > 1$.

In this way we produce certificates of reducibility that consist just of a
non-trivial factor of smallest possible degree, and the lexicographically least
such factor if there are several⁴. The certificates can be checked, for example
with an independent program using NTL [17], much faster than the original
computation (typically in less than one hour for any of the degrees listed in
Table 3).

For large $d$, when $2^d \gg r$, we do not compute $x^{2^d} + x$ itself, but its
remainder, say $h$, modulo $T$. Indeed, $\gcd(T, x^{2^d} + x) = \gcd(T, h)$. To
compute $h$, we start from $x$, perform $d$ modular squarings, and add $x$. In this
way, we work with polynomials of degree less than $2r$. Checking for factors of
degree $d$ costs $d$ modular squarings and one GCD. Since we check potential
degrees $d$ in ascending order, $x^{2^d} \bmod T$ is computed from $x^{2^{d-1}} \bmod T$,
which was obtained at the previous step, with one extra modular squaring.
Thus, from Table 1, the cost per value of $d$ is $O(M(r) \log r)$. However, this
does not take into account the speedup due to blocking, discussed above.

The critical fact is that most trinomials have a small factor, so the search 
runs fast on average. 

After searching unsuccessfully for factors of degree $d < 10^6$ say, we could
switch to the classical irreducibility test (2), which is faster than factoring if
the factor has degree greater than about $10^6$. However, in that case our list
of certificates would be incomplete. Since it is rare to find a factor of degree
greater than $10^6$, we let the program run until it finds a factor or outputs
"irreducible". In the latter case, of course, we can verify the result using the
classical test. Of the certificates (smallest irreducible factors) found during 
our searches, the largest is a factor P(x) = x 10199457 +x 10199450 +- • ■+x Al +x+1 
of the trinomial $x^{42643801} + x^{3562191} + 1$. Note that, although the trinomial
is sparse and has a compact representation, the factor is dense and hence 
too large to present here in full. 
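
The procedure of Sections 9, 10 and 13 in miniature, as an added Python example rather than the authors' code: for each degree $d$ in ascending order it uses the sieving shortcut modulo $x^{d'} - 1$ while $2^d < r$, switches to $\gcd(T, x^{2^d} + x \bmod T)$ afterwards, and returns the resulting factor as a certificate that a separate routine re-checks by division. Blocking, fast multiplication and the EDF split are left out, and the function names are this example's own.

```python
def pmod(a, b):
    """Remainder of a modulo b in GF(2)[x]; ints are bit vectors, b != 0."""
    db = b.bit_length()
    while a.bit_length() >= db:
        a ^= b << (a.bit_length() - db)
    return a


def pgcd(a, b):
    """Greatest common divisor in GF(2)[x] by Euclid's algorithm."""
    while b:
        a, b = b, pmod(a, b)
    return a


def certificate(r, s, max_d=None):
    """Look for the smallest-degree factors of T = x^r + x^s + 1.

    Returns (d, g), where g is the product of the irreducible factors of T
    of the smallest degree d, or None if T has no factor of degree <= max_d
    (with the default max_d = r // 2, None means that T is irreducible).
    """
    T = (1 << r) | (1 << s) | 1
    if max_d is None:
        max_d = r // 2
    h = 0b10                                        # x^(2^0) = x
    for d in range(1, max_d + 1):
        # One more modular squaring: h = x^(2^d) mod T.
        h = pmod(int("0".join(bin(h)[2:]), 2), T)
        if (1 << d) < r:
            # Sieving: reduce the exponents modulo d' = 2^d - 1.
            dp = (1 << d) - 1
            t = (1 << (r % dp)) ^ (1 << (s % dp)) ^ 1
            g = pgcd((1 << dp) | 1, t)              # gcd(x^d' - 1, T mod (x^d' - 1))
        else:
            g = pgcd(T, h ^ 0b10)                   # gcd(T, x^(2^d) + x mod T)
        if g != 1:
            return d, g
    return None


def check_certificate(r, s, g):
    """Independent check: g is a non-constant divisor of x^r + x^s + 1."""
    T = (1 << r) | (1 << s) | 1
    return g.bit_length() > 1 and pmod(T, g) == 0


if __name__ == "__main__":
    r = 89
    for s in range(1, r // 2 + 1):
        cert = certificate(r, s)
        if cert is None:
            print(f"s = {s}: irreducible")
        else:
            d, g = cert
            assert check_certificate(r, s, g)
            print(f"s = {s}: factor(s) of degree {d}, g = {g:#x}")
    # The trinomial missed by Kumada et al. must survive any correct sieve.
    print(certificate(859433, 170340, max_d=12))
```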



⁴ It is worth going to the trouble to find the lexicographically least factor, since this
makes the certificate unique and allows us to compare different versions of the program
and locate bugs more easily than would otherwise be the case.

14 Classical versus Modern

For simplicity we use the $O$ notation which ignores log factors. The
"classical" algorithm takes an expected time $O(r^2)$ per trinomial, or $O(r^3)$ to
cover all trinomials of degree $r$.

The "modern" algorithm takes expected time $O(r)$ per trinomial, or
$O(r^2)$ to cover all trinomials of degree $r$.

In practice, the modern algorithm is faster by a factor of about 160 for
$r = r_{38} = 6\,972\,593$, and by a factor of about 1000 for $r = r'_{45} = 43\,112\,609$.

Thus, comparing the computation for $r = r'_{45}$ with that for $r = r_{38}$: using
the classical algorithm would take about 240 times longer (impractical), but
using the modern algorithm saves a factor of 1000.

15 How to Speed up the Search 

The key ideas are summarised here. Points (1)-(4) apply to both the
classical and modern algorithms; points (5)-(6) apply only to the modern
algorithm.

1. Since the computations for each trinomial can be performed
independently, it is easy to conduct a search in parallel, using as many
computers as are available.

2. Because the coefficients of polynomials over GF(2) are just 0 or 1, there
is a one-one correspondence between polynomials of degree $< d$ and
binary numbers with $d$ bits. Thus, on a 64-bit computer we can encode
a polynomial of degree $d$ in $\lceil (d + 1)/64 \rceil$ computer words. If we take
care writing the programs, we can operate on such polynomials using
full-word computer operations, thus doing 64 operations in parallel.

3. Squaring of polynomials over GF(2) can be done in linear time (linear
in the degree of the polynomial), because the cross terms in the square
vanish:

$$\left( \sum_k a_k x^k \right)^2 = \sum_k a_k x^{2k}.$$

4. Reduction of a polynomial of degree $2(r - 1)$ modulo a trinomial
$T = x^r + x^s + 1$ of degree $r$ can also be done in linear time. Simply use
the identity $x^n = x^{n+s-r} + x^{n-r} \bmod T$ for $n = 2r - 2, 2r - 3, \ldots, r$ to
replace the terms of degree $\ge r$ by lower-degree terms.

5. Most GCD computations involving polynomials can be replaced by
multiplication of polynomials, using a technique known as "blocking"
(described above).

6. Most multiplications of polynomials can be replaced by squarings,
using another level of blocking, as described in [6].

16 Conclusion 

The combination of these six ideas makes it feasible to find primitive
trinomials of very large degree. In fact, the current record degree is the same as
the largest known Mersenne exponent, $r = r'_{45} = 43\,112\,609$. We are ready
to find more primitive trinomials as soon as GIMPS finds another Mersenne
prime that is not ruled out by Swan's Theorem. Our task is easier than that
of GIMPS, because finding a primitive trinomial of degree $r$, and verifying
that a single value of $r$ is a Mersenne exponent, both cost about the same:
$O(r^2)$.

The trinomial hunt has resulted in improved software for operations on 
polynomials over GF(2), and has shown that the best algorithms in theory 
are not always the best in practice. It has also provided a large database of 
factors of trinomials over GF(2), leading to several interesting conjectures 
which are a topic for future research. 